Subj : RE: Cabal
To   : Oli
From : NuSkooler
Date : Sat Jan 02 2021 12:46 pm

On Saturday, January 2nd Oli was heard saying...

Ol> Which symmetric key systems that are used in internet software are you
Ol> talking about? TLS connections, Signal, Whatsapp, Matrix Olm/Megolm, XMPP
Ol> OMEMO are using symmetric keys too, but they don't use the password for
Ol> entering a chat as the symmetric key to encrypt the connection and all
Ol> messages.

TLS uses public key crypto: Any client can communicate with the server that owns the *private* key -- the client must only trust the certificates served. You can use client auth with TLS as well where the server only trusts particular client certs.

Signal lets users compare pub keys -- you establish trust between two users, then use keys to encrypt.

The password in all of the above is in the key material. Users of Cabal do not "enter a password" either. It's there in the hash, which becomes a URL.

On Saturday, January 2nd Oli said...

Ol> It suggests that a man-in-the middle can capture cabal network traffic and
Ol> decrypt everything without even appearing as a participant in the channel
Ol> if they know the key.

MITM works with public key (e.g. SSL/TLS) crypto via hijacking trust: Decrypt then re-encrypt with new Private Key whilst putting in a Certificate Authority that the client (victim) trusts or hopefully will trust. It's not applicable here.

On Saturday, January 2nd Oli muttered...

Ol> Or capture traffic and decrypt it later when they
Ol> get hold of the key.

Having the key in hand isn't some sort of hack, it's having the key in hand...

--
>> NuSkooler
>> Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
>> ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic

--- ENiGMA 1/2 v0.0.12-beta (linux; x64; 12.13.1)
 * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)